Information security is a journey and not a destination: Satyanandan Atyam, VP & CRO, Max Bupa Health Insurance

Challenges faced by CISOs are manifold. To champion the information security agenda in the business organisation, the CISO should be able to bring the future into the present so that he can do something about it now. This ability to provide the visibility of a future prepared organisation to business is critical. “The capability to bring the bottom up risk assessment on the technology controls, which could help to gauge if the organisation is future ready, and convincing the management is needed. The CISOs do not get the mandate to make the organisation future ready. They struggle to get the organization operate with security controls as per the risk assessment of existing risks. The challenge around budgets approvals for information security initiatives is a pertinent issue because RoI’s for such investments cannot be arrived. Though there have been attempts to create models around the RoI calculation, there has always been a challenge to convince the CFO organisation,”says Satyanandan Atyam, Vice President, CRO, Max Bupa Health Insurance.

Digital, real time analytics and AI adoption would be differentiators for the business to acquire and engage the customer. To implement these business requirements, require the IT to re architect/punch holes into the facades of security infra around the IT infrastructure. “This augments the risk surface for the organisations and they need to design and implement security technologies which are secured and enable an open IT architecture. The juxtaposition of the need and the risk is like a double-edged sword for the technology and risk teams,” he mentions.

Best practices

Atyam believes that information security is a journey and not a destination. There are always new challenges to meet. Executing a security strategic plan is a critical success factor for organisations that truly want to maximise their ability to manage information risk. Committing to this process takes resources and time. The best practice/baseline practices for the organisation to maintain a robust security posture are as below:

Identify your crown jewels
·         Prioritise the data which needs to be protected
·         Determine risk appetite basis risk assessment
·         Implement IT controls basis the risk assessment
·         Have review and response processes and strategies
·         Assess the maturity of the cyber security framework-testing methods

These should be part of the information security strategy of the organisation. A strong defense can’t happen if what is being defended isn’t understood. “The process should also determine how each asset impacts your operations and may include financial implications, reputational damage, or loss of business opportunities. This will help is prioritisation of efforts. Firms need to be aware of what policies and procedures they currently have in place including what solutions and controls can be added by their IT vendor to enhance their security. Be aware of what safeguards are available to assist you with your existing programs. Risk assessment would help in understanding the cyber security risks to the firm’s operations, functions, image, reputation, and assets,” avers Atyam.

Insider risk

The breach anatomy will increasingly trend towards either by the errors committed by the insiders or by the malicious insider initiating a connection to the external world. A malicious connection created from a trusted source (inside the organization) to malicious outsider is always effortless. This change in the attack methods has made it increasingly important to have awareness for the insiders and critical to plug the backdoors of any IT footprint for exploits. “The IT organisations are not control savvy and the vulnerability are left open for exploits. This poor hygiene in the internal IT environments is a risk which needs to be attended, not through an audit mechanism but through IT function driving the security as an agenda,” points out Atyam.

The CISO’s budget still piggy backs on the IT budgets. They still are not being provided separate budgets under the ambit of the risk function. This would continue till the point the share of information security initiatives is for the implementation of the IT security controls is higher.

Nowadays CISOs are being invited to the Board meeting to provide an assurance on the information security posture of the organisation. The relevance of information security is being a critical differentiator for business to contain risk and to ensure their digital journey is secured. CISOs would not have a say in decision-making at the Board, but are being heard when they table the risk and applicable risk containment initiatives.

Also read: Insurance industry goes on tech drive to expand coverage